DETAILED ACTION 



Examiner's Amendment 

An examiner's amendment to the record appears below. Should the changes 
and/or additions be unacceptable to applicant, an amendment may be filed as provided 
by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be 
submitted no later than the payment of the issue fee. 

Authorization for this examiner's amendment was given in a telephone interview 
with Arthur J. Samodovitz (Reg. No. 31,297) on 5/8/2006. 

This application has been amended as follows: 
IN THE CLAIMS 
Cancel claims 1 - 30. 


Replace claims 31 and 32 as follows. 



Claim 31: 

A method of detecting intrusions, said method comprising the steps of: 
storing a plurality of intrusion signatures; 

automatically detecting a multiplicity of system events having respective 
signatures; 
comparing each of the multiplicity of system event signatures to said plurality of 
intrusion signatures, one of said system event signatures not matching any of said 
intrusion signatures and not corresponding to an intrusion, and other of said system 
event signatures matching respective ones of said intrusion signatures; and 

storing said one system event signature in association with said plurality of 
intrusion signatures not corresponding to an intrusion; 

recording a number of times that said each of said intrusion signatures 
matches a respective one of said system event signatures; 

recording a number of times that said one system event has occurred; 

subsequently ordering the stored plurality of intrusion signatures and said one 
system event signature based on the respective number of times that have been 
recorded for said plurality of intrusion signatures and said one system event signature, 
such that the signature for which the most number of times has been recorded is first in the 
order; and 

subsequently comparing a signature of a subsequent system event with said 
signatures in said order until finding a match between said subsequent system event 
signature and one of said signatures in said order. 

Claim 32: 

A system for detecting intrusions, said system comprising: 
a table storing a plurality of intrusion signatures; 
means for detecting a multiplicity of system events having respective signatures; 

means for comparing each of the multiplicity of system event signatures to said 
plurality of intrusion signatures, one of said system event signatures not matching 
any of said intrusion signatures and not corresponding to an intrusion, and other of 
said system event signatures matching respective ones of said intrusion signatures; 

means for storing said one system event signature in association with said 
plurality of intrusion signatures not corresponding to an intrusion; 

means for recording a number of times that each of said intrusion signatures 
matches a respective one of said system event signatures; 

means for recording a number of times that said one system event has occurred; 

means for subsequently ordering the stored plurality of intrusion signatures and 
said one system event signature based on the respective number of times that have 
been recorded for said plurality of intrusion signatures and said one system event 
signature, such that the signature for which the most number of times has been 
recorded is first in the order; and 

means for subsequently comparing a signature of a subsequent system event 
with said signatures in said order until finding a match between said subsequent system 
event signature and one of said signatures in said order. 
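The procedure recited in claims 31 and 32, as an added worked example that is not part of this office action or of the applicant's disclosure: signatures are modelled as substring patterns, system events as request lines, and the one event that matches no intrusion signature is stored in the same table with its own occurrence count before the table is reordered by count. The class and function names, the patterns and the event stream are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Signature:
    pattern: str        # substring identifying a class of system event (assumed model)
    is_intrusion: bool  # False for the stored signature of a non-intrusion event
    hits: int = 0       # recorded number of times this signature has matched


class SignatureTable:
    """Intrusion signatures and stored non-intrusion event signatures, kept in
    one ordered list so a single lookup walks both kinds in count order."""

    def __init__(self, intrusion_patterns):
        self.signatures = [Signature(p, True) for p in intrusion_patterns]
        self.comparisons = 0  # total signature comparisons, used only for measurement

    def match(self, event):
        """Compare the event to the signatures in their current order, stopping
        at the first match and recording the hit; None if nothing matched."""
        for sig in self.signatures:
            self.comparisons += 1
            if sig.pattern in event:
                sig.hits += 1
                return sig
        return None

    def store_non_intrusion(self, event):
        """An event matching no intrusion signature is treated as not an
        intrusion; its signature is stored alongside the intrusion signatures
        and its occurrence count starts at one."""
        sig = Signature(event, False, hits=1)
        self.signatures.append(sig)
        return sig

    def reorder(self):
        """Order every stored signature by its recorded count, most frequent
        first (the sort is stable, so ties keep their previous relative order)."""
        self.signatures.sort(key=lambda s: s.hits, reverse=True)

    def order(self):
        return [s.pattern for s in self.signatures]


def classify(table, event):
    """Return True if the event is an intrusion, storing its signature if new."""
    sig = table.match(event)
    if sig is None:
        sig = table.store_non_intrusion(event)
    return sig.is_intrusion


# Constructed sample data: three intrusion signatures and a stream of request lines
INTRUSION_PATTERNS = ["/etc/passwd", "' OR 1=1", "../../"]
SAMPLE_EVENTS = (
    ["GET /index.html"] * 6         # frequent non-intrusion event, matches nothing at first
    + ["GET /cgi?q=' OR 1=1"] * 3   # matches the second intrusion signature
    + ["GET /../../etc/passwd"]     # matches "/etc/passwd", first in the initial order
    + ["GET /index.html"] * 2
)


def run_demo(events=SAMPLE_EVENTS):
    """Process the stream once in the original order, reorder by count, then
    process it again; report alerts, the new order and the comparison counts."""
    table = SignatureTable(INTRUSION_PATTERNS)
    alerts_before = sum(classify(table, ev) for ev in events)
    comparisons_before = table.comparisons

    table.reorder()
    table.comparisons = 0
    alerts_after = sum(classify(table, ev) for ev in events)
    return {
        "alerts_before": alerts_before,
        "alerts_after": alerts_after,
        "order": table.order(),
        "comparisons_before": comparisons_before,
        "comparisons_after": table.comparisons,
    }


if __name__ == "__main__":
    print(run_demo())
```

On this stream the reorder moves the stored non-intrusion signature to the front and cuts the signature comparisons from 38 to 17 while producing the same four alerts. Because the first match terminates the search, the check a practitioner wants before a non-intrusion signature is promoted above intrusion signatures is that it cannot also match intrusion traffic; here it is the exact request line, so it cannot shadow any of the intrusion patterns.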
Allowable Subject Matter 

1. Claims 31 and 32 are allowed. 

2. The following is an examiner's statement of reasons for allowance: 

The above-mentioned claims are allowable over the prior art because the CPA 
(Cited Prior Art) of record fails to teach or render obvious the claimed limitations in 
combination with the specific added limitations, as recited in independent claims 31 and 
32. 

The prior art Vaidya fails to teach or suggest means for subsequently ordering the 
stored plurality of intrusion signatures and said one system event signature not 
corresponding to an intrusion based on the respective number of times that have been 
recorded for said plurality of intrusion signatures and said one system event signature, 
such that the signature for which the most number of times has been recorded is first in 
the order. Besides, the prior art fails to teach comparing each of the multiplicity of system 
event signatures to said plurality of intrusion signatures, one of said system event 
signatures not matching any of said intrusion signatures and not corresponding to an 
intrusion, and other of said system event signatures matching respective ones of said 
intrusion signatures; and storing said one system event signature in association with 
said plurality of intrusion signatures not corresponding to an intrusion. 
Any comments considered necessary by applicant must be submitted no later 
than the payment of the issue fee and, to avoid processing delays, should preferably 
accompany the issue fee. Such submissions should be clearly labeled "Comments on 
Statement of Reasons for Allowance." 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Longbit Chai whose telephone number is 571-272-3788. 
The examiner can normally be reached on Monday-Friday 8:00am-4:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R Sheikh can be reached on 571-272-3795. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 